encrypted fields map != encrypted fields

aclark4life · aclark4life · commit e988c55b0e59 · 2025-08-27T06:37:47.000-04:00
The spec says: "encryptedFieldsMap maps a collection namespace to an
encryptedFields."

In this commit, we clarify the distinction between encrypted fields map
and encrypted fields.
diff --git a/django_mongodb_backend/management/commands/showencryptedfieldsmap.py b/django_mongodb_backend/management/commands/showencryptedfieldsmap.py
@@ -41,7 +41,7 @@ def handle(self, *args, **options):
             for app_config in apps.get_app_configs():
                 for model in router.get_migratable_models(app_config, db):
                     if model_has_encrypted_fields(model):
-                        fields = editor._get_encrypted_fields_map(
+                        fields = editor._get_encrypted_fields(
                             model, client, create_data_keys=create_data_keys
                         )
                         encrypted_fields_map[model._meta.db_table] = fields
diff --git a/django_mongodb_backend/schema.py b/django_mongodb_backend/schema.py
@@ -429,7 +429,7 @@ def _create_collection(self, model):
         Create a collection for the model with the encrypted fields. If
         provided, use the `_encrypted_fields_map` in the client's
         `auto_encryption_opts`. Otherwise, create the encrypted fields map
-        with `_get_encrypted_fields_map`.
+        with `_get_encrypted_fields`.
         """
         db = self.get_database()
         db_table = model._meta.db_table
@@ -443,18 +443,16 @@ def _create_collection(self, model):
                 )
             encrypted_fields_map = getattr(auto_encryption_opts, "_encrypted_fields_map", None)
             if not encrypted_fields_map:
-                encrypted_fields_map = self._get_encrypted_fields_map(
-                    model, client, create_data_keys=True
-                )
+                encrypted_fields = self._get_encrypted_fields(model, client, create_data_keys=True)
             else:
-                # If the encrypted fields map is provided, get the map for the
+                # If the encrypted fields map is provided, get the encrypted fields for the
                 # specific collection.
-                encrypted_fields_map = encrypted_fields_map.get(db_table)
-            db.create_collection(db_table, encryptedFields=encrypted_fields_map)
+                encrypted_fields = encrypted_fields_map.get(db_table)
+            db.create_collection(db_table, encryptedFields=encrypted_fields)
         else:
             db.create_collection(db_table)
 
-    def _get_encrypted_fields_map(self, model, client, create_data_keys=False):
+    def _get_encrypted_fields(self, model, client, create_data_keys=False):
         connection = self.connection
         fields = model._meta.fields
         options = client._options
diff --git a/tests/encryption_/test_schema.py b/tests/encryption_/test_schema.py
@@ -7,18 +7,18 @@
 class SchemaTests(QueryableEncryptionTestCase):
     maxDiff = None
 
-    def test_get_encrypted_fields_map(self):
+    def test_get_encrypted_fields(self):
         """
         Test class method called by schema editor and management command to get
-        encrypted fields map for `create_collection` and `auto_encryption_opts`
-        respectively. There are no data keys in the results.
+        encrypted fields for `create_collection` and `auto_encryption_opts`
+        respectively.
 
-        Data keys for the schema editor are created by
-        `create_encrypted_collection` and data keys for the management command
-        are created by the management command using code similar to the code in
-        create_encrypted_collection` in Pymongo.
+        This method is called per collection when creating a new collection and
+        per database when setting up auto encryption options.
+
+        Data keys are not tested here as they are expected to differ each time.
         """
-        expected_encrypted_fields_map = {
+        expected_encrypted_fields = {
             "fields": [
                 {
                     "bsonType": "long",
@@ -54,11 +54,11 @@ def test_get_encrypted_fields_map(self):
         connection = connections["encrypted"]
         with connection.schema_editor() as editor:
             client = connection.connection
-            encrypted_fields_map = editor._get_encrypted_fields_map(Patient, client)
-            for field in encrypted_fields_map["fields"]:
+            encrypted_fields = editor._get_encrypted_fields(Patient, client)
+            for field in encrypted_fields["fields"]:
                 # Remove data keys from the output; they are expected to differ
                 field.pop("keyId", None)
             self.assertEqual(
-                encrypted_fields_map,
-                expected_encrypted_fields_map,
+                encrypted_fields,
+                expected_encrypted_fields,
             )

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ def handle(self, args, *options):`
`41`	`41`	`for app_config in apps.get_app_configs():`
`42`	`42`	`for model in router.get_migratable_models(app_config, db):`
`43`	`43`	`if model_has_encrypted_fields(model):`
`44`		`- fields = editor._get_encrypted_fields_map(`
	`44`	`+ fields = editor._get_encrypted_fields(`
`45`	`45`	`model, client, create_data_keys=create_data_keys`
`46`	`46`	`)`
`47`	`47`	`encrypted_fields_map[model._meta.db_table] = fields`